Microsoft Entra

A few weeks ago, I released an article about why you should consider Microsoft for your IT Security. I talked about how Microsoft’s solution has matured and how it can help organisations do more with less. Now I would like to talk about what that solution could look like as an end-to-end suite of tools that can help protect your identities, endpoints, data, applications, and infrastructure.

To do this, I aim to release a series of articles that introduce each pillar of the Microsoft Security Suite, with an overview of its capabilities, features, and what role it performs in the solution.

The Microsoft Security suite of products contains the following:

• Microsoft Defender 365 – Defend across the Attack Chain to protect against external threats.
• Microsoft Sentinel – Collect, analyse, and respond to alerts and incidents picked up by your security tools, such as Defender, Entra and Purview.
• Microsoft Entra – Identity and Access Management platform that can protect your identities and access to your corporate resources.
• Microsoft Intune – Endpoint Management platform that manages and secures all endpoints in your estate.
• Microsoft Purview – Secure your sensitive data and protect against internal threats.
• Microsoft Priva – Manage the risks of handling sensitive information within Microsoft 365.

The third pillar is Microsoft Entra, which I will discuss in this article. Microsoft Entra is Microsoft’s cloud-native Identity and Access platform. Entra is a new name in the Microsoft landscape, replacing Azure Active Directory as the Identity brand. Entra is cloud-based, and native to Microsoft 365 but can integrate seamlessly with on-premises Active Directory for synchronised Identity. It can also integrate with third-party SaaS applications to be the Identity Provider (iDP) allowing for single identities to be used by users accessing their applications.

The flexibility and focus on Identity are where Entra fits in to the Microsoft end-to-end security solution. Entra can be used to secure and protect identities, including risk-based analysis and provide secure access to company resources. Recent announcement also shows Entra moving into a Secure Service Edge (SSE) solution with Private Access, providing an alternative to complex VPN solutions.

Protecting your identities: How Microsoft Entra keeps your users safe

In the modern landscape, Identities are the control plane. They are heavily involved in providing access to resources, which we will look at in the next section. So therefore, they are a natural target for attackers to attempt to compromise. In Microsoft Digital Defence Reporrt 2023, they stated that they blocked an average of 4,000 password attacks per second. That is, quite frankly, staggering. The report also showed that there was a more than double increase of attacks in April 2023.

It quite clearly shows that Identities are under constant attack. And regardless of whether the identity is privileged or not (it takes less than 2 hours for an attacker to move laterally once they compromise a general user account), protecting them is crucial. Entra provides the following features to help with the protection of your identities:

Entra Multi-Factor Authentication (MFA)

MFA is still a fundamental for cyber hygiene. In the Microsoft Digital Defender Report 2023 enabling MFA found that it reduces the risk of compromise by 99.2 percent.

The Entra MFA service is simple to enable and integrate with other Entra services, such as Conditional Access. You have the option of several second factor methods from SMS to hardware token, including the Microsoft Authenticator App, which is quickly becoming the default option for users in my experience.

It is also extremely easy to be able to ensure that users are registered for the service through Registration Policies, Registration Campaigns and Conditional Access. In my opinion, there is no reason that users should not be at least registered for MFA. And I feel that prompts for MFA should be in certain situations, rather than every login to reduce MFA fatigue and ensure that MFA continues to be as strong at protecting accounts as it currently is. Microsoft have recently released “Number Matching” to protect against MFA fatigue where the user is required to enter a number on their mobile application to gain access to the system. There are exceptions to the rule, as I would expect to see any privileged account have to provide MFA before gaining access to any administration console to make a change.

Entra MFA is available to all users in every tenant. However, in a tenant that uses Entra ID Free, Security Defaults must be used. Full licensing capabilities for Entra MFA can be found here.

Entra Authentication Methods

There are several methods of authentication to resources integrated with Microsoft Entra. There are the traditional password-based methods for cloud and synchronised identities, such as Password Hash Sync. Federated methods such as Active Directory Federation Services (ADFS) are still in use, however considered legacy forms of authentication now. And then there are passwordless authentication methods.

Passwordless authentication is becoming a large talking point for several reasons:

1. It’s more secure than using just a password to authenticate.
2. It’s much more user friendly (No more passwords!! Yes please!!)

Entra comes with 9 passwordless authentication methods that can be enabled. These range from SMS, to certificates, to Windows Hello for Business, to the Microsoft Authenticator app. Each can be enabled and trialled out in your tenant. Passwordless authentication methods are available in all Entra ID versions. A number of these authentication methods provide phishing resistant MFA (FIDO 2, Windows Hello for Business and Certificate Based) which provide protection against compromise via phishing attacks.

With the number of password attacks increasing recently, now is the time to take a passwordless approach to authentication seriously and reduce the risk surface of your identities?

Entra Identity Protection

Entra Identity Protection provides risk-based analysis on your users and their sign-in attempts. A user’s risk level is altered depending on the actions they take within your tenant. For instance, if suddenly, a user accesses a SharePoint site, they have never accessed and deletes 100’s of documents or shares them with external parties, their risk level will increase as those actions will be deemed as abnormal.

Sign-in attempts are also monitored with risks being associated depending on several factors, such as time, location, device, application and more. For example, a user logs in as they normally do in the morning, but 15 minutes later there is a sign-in attempt from a location outside of the country. This would be flagged as impossible travel and the risk level of this attempt increased.

The analysis of this information can then be actioned on with Conditional Access rules to protect your user’s identities and your company resources. For example, if a user has a high risk, we can block access to the tenant. And this can be actioned live, without the need for the user to re-authenticate to block access.

Identity Protection is available with an Entra P1 license. However, this only provides the logs and reporting and does not allow integration with Conditional Access. This requires an Entra P2 license.

External Identities

Sharing content with external users has always been a challenge for IT teams. A modern method of achieving this is by allowing external identities access to your M365 tenant to access resources shared with them.

An external identity is an account in your tenant, but they authenticate directly with their own Identity Provider. An example is a M365 account that resides in another M365 tenant. When they authenticate to access your resources, they do so against their own tenant and policies. However, you can configure additional requirements for these types of users to access your resources through Conditional Access. Controls such as MFA can be enforced to external accounts.

New organisational settings in Entra allow for defined organisations access to your tenant along with certain trust-based settings, such as trusting MFA or compliant devices from another Entra tenant. This allows for seamless federation between trusted tenants whilst ensuring that unknown tenants and external users must abide by your access controls. Entra can also prevent users from being able to share with unknown external identities to further protect your resources.

Securing external identities accessing your resources can be configured from any Entra ID version.

Access Reviews

One common theme in all IT Teams, is inactive accounts being forgotten and left enabled. IT teams do their best to clean this up, however, it still happens. Microsoft Entra provides Access Reviews that can be enabled to provide administrators with visibility on inactive users, including external users, user access to sensitive data and administrators with roles that are no longer used.

These reports can be configured to run on schedules and will provide recommendations on what actions to take, or automatically remove users from groups or roles if configured to do so. This can help remove the burden on IT for maintaining access to applications, sensitive information, administrative roles for internal and external users, further protecting identities in your tenant.

Access Reviews require an Entra P2 or Entra ID Governance license depending on the type of Access Review you wish to run.

Simplifying Secure Access: How Microsoft Entra integrates into a Zero Trust solution

Zero Trust is a massive topic, and Microsoft has various features that are part of a Zero Trust solution. However, the following features in Entra are a massive part of any Zero Trust solution and even on their own are valuable to protect your corporate resources.

Conditional Access

Conditional Access is the heartbeat of User Access in Microsoft Entra and fits perfectly with the Zero Trust principle “Verify Explicitly.” This principal is about validating all available data points for authentication to resources. Conditional Access uses Modern Authentication, which provides information, such as Device Operating System (OS), location, Client App, Device Health and more in an authentication request.

All these signals can then be used as conditions in Conditional Access policies to dictate what Access Controls, if any, must be enforced before the user is granted access to the resource. Controls may include requiring MFA, requiring a compliant device, or even just requiring the terms of use be signed. If the controls are not met, then the user does not get access. And of course, it could be that is certain conditions are met, the user is blocked access.

The policies not only work with your users but can be assigned to external identities too, enforcing controls they must meet before being allowed access to your resources.

Some examples of Conditioal Access policies could be:

• Require multi-factor authentication (MFA) for all users accessing sensitive data.
• Block users from accessing resources from unmanaged devices.
• Require users to change their passwords when their account is deemed as a high risk.
• Block all forms of legacy auithentication.

A new feature recently in Conditional Access is “Authentication Context.” The idea of Authentication Contexts is to trigger additional Conditional Access policies when certain actions are taken in the tenant, such as accessing Sensitive Information. In this example, a user may be allowed access to M365 with a compliant device only. But then accessing a document with a certain classification will trigger the authentication context, requiring MFA to be able to open the document.

These access controls validate the trust required as part of a Zero Trust solution for User Access. And the evaluation of access is continual in the service. For example, should a user require a compliant device for access, but then that device becomes noncompliant, they will be blocked from accessing the application as soon as this is recognised within Entra.

Another extension of Conditional Access is Conditinal Access App Control. When integrated with Defender for Cloud Apps, we can control what actions can be performed in the app itself. As an exmaple you could integrate Mircosoft 365 and use App Control to prevent downloads, protect on download (apply a sensitivity label) or monitor user sessions for compliance. Typically this is configured for different conditions, such as when

Conditional Access is available to those with at least an Entra Premium P1 license. Access to risk-based conditions requires an Entra Premium P2 license.

Privileged Identity Management

The second Zero Trust principal that Entra can assist with is “Use Least Privilege.” The aim is to reduce risk of privileged access and access to sensitive information by providing just enough and just in time access. For access to sensitive information, we can rely on authentication context with Conditional Access. For privileged access, Entra has another service called Entra Privileged Identity Management, or PIM for short.

PIM allows administrators to be active or eligible for their privileges within M365. If their privileges are active, then they always have access to them. If they are eligible, then the administrator must request access to the privileges. And once approved, automatically or by an approvers group, their privileges are enabled, and they can administer the tenant as their role allows. The privileges are also enabled for a set period, for instance 2 hours. Once the time has expired, the privileges are lost and must be requested again.

Just in time privileged access reduces the risk of compromise. Temporary privileges require an attacker to work within a limited time window. If you have access to PIM, it is recommended to be configured to protect privileged accounts. It reduces the risk of those accounts as, at rest, they do not have the privileges to harm the tenant. If such an account is compromised and the privileges are requested, then it can at least prompt suspicion and questions by an approvers group, if one exists. This would lead to an investigation with the compromised account being blocked from causing any further damage.

PIM requires an Entra P2 license to configure.

Say Goodbye to Legacy VPNs: Entra’s newest feature Private Access

Microsoft has had an alternative to Virtual Private Networks (VPN) for many years in the Azure AD Application Proxy feature. For certain apps, especially web-based, you could use the App Proxy agents to open secure outbound tunnels to Azure endpoints. You could then publish an application through Entra, and users can then access the application through the open tunnel, whilst using Entra ID authentication to ensure users validate their identity.

However, this service has its limitations and in my experience was not as widely adopted as it could have been. Mainly because many organisations still had other requirements for a VPN.

However, Microsoft recently announced Microsoft Entra Private Access, which is a Zero Trust Network Access (ZTNA) solution. This solution is an alternative for VPNs by providing remote access to on-premises applications with the additional capability to Enforce MFA and other Conditional Access controls on access. And all of this can be configured on a per app basis which allows a proficient level of control when several apps need to be accessed remotely.

This is a new feature and is still in preview. It is something I want to play around with a lot more and aim to do so soon.

Summary

So that is a roundup of the security features available within Microsoft Entra and how it can be used to protect identities and be part of a Zero Trust solution.

Entra does provide more than just Identity security, it also has the following features:

• Identity Governance features that can help with the ongoing maintenance of user identities.
• Entra Domain Services providesmanaged Domain Services in the cloud. Features such as domain join, grouop policy and more can be configuered without having to deploy and manage Domain Controllers.

Both of the above can still contribute to Security but are worthy of their own articles, so maybe one day…

The next post in this series will be focused on Microsoft Intune, which is the Endpoint Management platform native to M365.